When headlines shout about a cyber-attack on a household name like Marks & Spencer, it’s natural to feel a bit uneasy about making a data breach claim – especially if you’re a loyal customer. No one wants to feel like they’re adding to the pressure or damaging a business they love. But in this case, you don’t need to worry: M&S has insurance.
What happened in the M&S cyber attack 2025?
In late April 2025, M&S suffered a significant cyber-attack, reportedly orchestrated by the hacker group Scattered Spider. This attack disrupted various services, including online orders and contactless payments, and led to the theft of customer data such as names, addresses, dates of birth, and order histories.
The financial impact has been substantial. And, in response, M&S is now looking to make a £100 million claim on its cyber insurance policies. That figure tells you something big: M&S was prepared – with insurance in place to cover the costs of incidents like this.
What does that mean for you?
Comprehensive cyber insurance policies often include cover for:
- Legal liability from data breaches, including regulatory fines (where insurable)
- Costs of defending litigation, including class/group actions
- Compensation to affected individuals if the business is found to be at fault
- Crisis management and PR support
- Breach notification and credit monitoring services
So if a group action were to succeed, the insurer would pick up the tab.
Because M&S has cyber cover in place, if you choose to join a group action claim, you can feel confident that M&S’s insurance is likely to foot the bill – not the business itself.
The only reason this claim might be denied is if the insurers believe M&S misrepresented their cyber risk and resilience. And if that is the case, then M&S will have bigger questions to answer.
You still need to protect yourself
While the insurance should cover most of the financial impact, it’s still important to stay alert. We always recommend carrying out some basic cyber hygiene after a data breach, including:
- Changing your passwords (especially if you reuse them across accounts)
- Enabling two-factor authentication where possible
- Being cautious of phishing scams
- Monitoring your bank and online accounts regularly
We advise all M&S customers to stay vigilant and take steps to protect themselves from further harm. There is some advice on how to do this here.
Should I claim after M&S data breach?
It’s always unsettling when a big-name brand falls victim to a cyber-attack. But in this case, M&S is doing what it should: using its insurance to take the potential financial hit.
If you think you’ve been affected by the M&S data breach, you can find out more about the group action claim by clicking the button below.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
